
Which Files Were Affected by a Hack or Malware?

How can you determine which Windows files or registry settings have been compromised after your system has been hacked?

You cannot.

Once your machine has been hacked, it’s not your machine any more.

And yes, that sounds serious, because it absolutely is.


Summary

  • You cannot tell with certainty what a hack or malware may have affected.
  • The most common approach is to run repeated anti-malware scans.
  • The best solution is to revert to an image backup taken before.
  • The painful solution is to reinstall and start over.

Ramifications of compromise

Once your machine has been hacked, there is no approach that will tell you with 100% certainty exactly what the hacker (or malware) changed.

Assuming a sufficiently proficient hack, the hacker will have had access to absolutely everything. They could have changed anything, and they could have taken steps to explicitly hide everything they’ve changed.

There’s no way to know they haven’t hidden something you’ll never find. This is one of the reasons “rootkits” are so dangerous: they modify the operating system itself so that standard file, folder, process, and registry listings simply omit them. Any scanner you run on that system sees only what the rootkit lets it see.
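To make the limits concrete, here is an added example (not code from Ask Leo!) of the one technique that can answer “which files changed?” with some confidence: comparing a known-good hash baseline against the current state. All file names, the sample directory tree, and the “rootkit” are constructed for the demonstration. It also shows why the technique fails on a compromised system: if the file listing is filtered by a rootkit, the dropped file never appears in the comparison at all. On a real machine, the baseline must be taken before the compromise and stored off the box, and the comparison must be run from clean boot media against the offline disk, not from inside the hacked installation.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk=1 << 20):
    """SHA-256 of a file's contents. Content hashing ignores timestamps,
    so an attacker resetting modification times ("timestomping") gains nothing."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, walk=os.walk):
    """Map relative path -> content hash for every file under root.
    `walk` is injectable only so the demo can simulate a lying filesystem view."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_manifests(baseline, current):
    """Return added, removed, and modified paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def rootkit_walk(root, hidden_names=("helper.dll",)):
    """Constructed stand-in for a kernel rootkit that filters directory
    listings: everything looks normal except the names it chooses to hide."""
    for dirpath, dirnames, filenames in os.walk(root):
        yield dirpath, dirnames, [f for f in filenames if f not in hidden_names]


def demo():
    """Build a baseline, simulate a compromise, and diff it two ways:
    once with an honest listing and once through the simulated rootkit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "service.exe").write_bytes(b"MZ original service")
        (root / "config.ini").write_text("autostart=0\n")

        # Baseline taken while the system is still trusted.
        baseline = build_manifest(root)

        # Simulated compromise: one binary replaced, one payload dropped,
        # the config rewritten with identical content (must NOT show as modified).
        (root / "bin" / "service.exe").write_bytes(b"MZ trojaned service")
        (root / "bin" / "helper.dll").write_bytes(b"dropped payload")
        (root / "config.ini").write_text("autostart=0\n")

        honest = compare_manifests(baseline, build_manifest(root))
        hidden = compare_manifests(baseline, build_manifest(root, walk=rootkit_walk))
        return {"honest": honest, "hidden": hidden}


if __name__ == "__main__":
    result = demo()
    print("Scanned from clean media:", result["honest"])
    print("Scanned on the rootkitted system:", result["hidden"])
```

The honest comparison reports `bin/service.exe` as modified and `bin/helper.dll` as added; the comparison run through the simulated rootkit still catches the modified binary (its contents changed) but never learns that `helper.dll` exists, because the listing it relies on was filtered. That gap is exactly what the article is warning about: without a trusted baseline and a trusted vantage point, the answer to “what changed?” is at best incomplete.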

Traditional solutions

What most people do is run scans with anti-malware tools or security packages in the hope they’ll catch whatever was corrupted and repair it. Often this means running complete scans with their existing utilities and then adding more tools in the hope those will discover what the first ones missed.

Generally those tools catch a lot, it’s true. But there’s no guarantee they’ll catch everything.

Once you’ve run all the tools, performed all the scans, and looked in every place you know to look, there’s still no way to know that you’ve found everything.1

You know you were hacked.

Yet regardless of the steps you take, you’ll never know you’ve cleaned up from it completely.

Pragmatic solution #1: backup to the rescue

While we can’t prove that a machine is free of malware (even if it’s fresh out of the box), there are steps we can take after a known compromise to improve the odds of ending up with a clean machine.

The first approach is to back up your data to capture any recent changes, and then restore your system from a complete (aka system image) backup taken prior to the hack.

Of course, you can only use this solution if you’ve been creating complete backup images often enough for one to be useful, and if you know when the hack happened, since the image you restore must predate it. Most people fail the first criterion, sadly. The second can be difficult to determine, but more often than not there’s a sign or symptom that makes the compromise apparent.

Pragmatic solution #2: backup, reformat, reinstall

The second, more painful, approach is to back up your data2, and then:

  • Reformat and reinstall Windows from scratch
  • Reinstall all your applications from scratch
  • Carefully restore your data as you need it

If this feels painful, that’s because it is. It is time-consuming, but it’s often less time-consuming than struggling with a still-infected or unstable machine, and much more reassuring than not knowing if you’ve eliminated the threat.

And after you’ve done so, make sure to implement that full system backup strategy to make recovery simpler should this ever happen again.


Footnotes

1: You can’t prove a negative.

2: Again, this should have been happening all along, but many people fail.

Posted: May 22, 2019 in: Malware
Shortlink: https://askleo.com/77257


Leo Who?

I'm Leo Notenboom and I've been playing with computers since I took a required programming class in 1976. I spent over 18 years as a software engineer at Microsoft, and after "retiring" in 2001 I started Ask Leo! in 2003 as a place to help you find answers and become more confident using this amazing technology at our fingertips. More about Leo.

10 comments on “Which Files Were Affected by a Hack or Malware?”

  • Doesn’t work. Here is why:
    Malware can, and often does, infect the restore points.
    The end result is that by using System Restore, you also restore the malware, EVEN if the restore point was created before the infection.

      Reply
  1. I’ve been working in the database field since the old days of DOS 3.0. Oracle now, but back in the DOS days it was the IBM Assistance Series. Those days were slow, but at least I had time to make a few sandwiches while waiting 🙂 .

    I am petrified of getting malware and viruses on my own PC. I know enough NOT to go clicking where I shouldn’t and I read and scrutinize every option on installation screens. I run “anti-this” and “anti-that” on my PC, but I’m still afraid all that is not enough these days.

    I use a backup company (starts with “Carb…”) but that only backs up my documents, music and videos. I’m going to bet some types of malware can plant itself inside some of these files. LEO… If I have to re-install Windows, it seems as if my backed-up files would need to be scrubbed before I download them from my back-up company.

    I’ve ghosted my PC twice to two separate external hard drives. I recall each time it took over 12 hours to ghost about 775GB. That’s a long time… and I’m sure the ghosting included all my documents too. LEO – Any suggestions for ghosting that will NOT include my files that are backed up to my back-up service? Or should I include EVERYTHING when I ghost my PC?

    Reply
    • Macrium Reflect or EaseUS Todo, Leo’s preferred system image backup software packages, should back up your system in a lot less than 12 hours. Depending on the specs (USB3?), it might be as little as an hour or two.

      Assuming you use Windows, I suggest a full backup is appropriate. If a lot of your storage is consumed by music and videos, you might create a “backedup” folder for each, move your current files into those folders and exclude them from future backups.

      Reply
    • Some backup programs allow you to skip backing up certain files and folders. I’m not sure, but I think the paid version of EaseUS has that feature. Another way to prevent files from being included in a backup is to place them on a different drive or partition.
      Personally, I don’t like that option as I don’t trust an online service as my only backup.

      Reply
  2. I see that you are recommending Malwarebytes Anti-malware.

    Is Malwarebytes Anti-malware superior to Microsoft Security Essentials (MSSE)? There was a time when MSSE was considered pretty much the ultimate tool for finding and blocking malware. Is this no longer true?

    Reply
  3. Another great piece of advice on a problem that has been seemingly covered for a million times from all possible angles… but this one was not.

    Reply
  4. “While we can’t prove that a machine is free of malware (even if it’s fresh out of the box)…”

    Especially if it’s a Lenovo computer. Do a Google (or better yet, DuckDuckGo) search for Lenovo Preinstalled Malware.

    Reply
